
PT GREEN SOURCE INDONESIA

STANDARD OPERATING PROCEDURE SOP NO: IT/03

NETWORK MANAGEMENT PROCESS Rev.: 0

Page: 1 of 3 Document control status: Date: 05.02.2021

Prepared by: Approved by: Rev. date: -

Network Connectivity
Dial-In Connections
Access to Practice information resources through modems or other dial-in devices /
software, if available, shall be subject to authorization and authentication by an access
control system. Direct inward dialing without passing through the access control system is
prohibited.

Dial-up numbers shall be unlisted.

Systems that allow public access to host computers, including mission-critical servers,
warrant additional security at the operating system and application levels. Such systems shall
have the capability to monitor activity levels to ensure that public usage does not
unacceptably degrade system responsiveness.

Dial-up access privileges are granted only upon the request of a department head with the
submission of the Network Access Form and the approval of the Privacy Officer or
appropriate personnel.

Dial Out Connections


Practice provides a link to an Internet Service Provider. If a user has a specific need to link
with an outside computer or network through a direct link, approval must be obtained from
the Privacy Officer or appropriate personnel. The appropriate personnel will ensure
adequate security measures are in place.

Telecommunication Equipment
Certain direct link connections may require a dedicated or leased phone line. These facilities
are authorized only by the Privacy Officer or appropriate personnel and ordered by the
appropriate personnel. Telecommunication equipment and services include but are not
limited to the following:

• phone lines
• fax lines
• calling cards
• phone head sets
• software type phones installed on workstations
• conference calling contracts
• cell phones
• Blackberry type devices
• call routing software
• call reporting software
• phone system administration equipment
• T1/Network lines
• long distance lines
• 800 lines
• local phone lines
• PRI circuits
• telephone equipment

Permanent Connections
The security of Practice systems can be jeopardized from third party locations if security
practices and resources are inadequate. When there is a need to connect to a third party
location, a risk analysis should be conducted. The risk analysis should consider the type of
access required, the value of the information, the security measures employed by the third
party, and the implications for the security of Practice systems. The Privacy Officer or
appropriate personnel should be involved in the process, design and approval.

Emphasis on Security in Third Party Contracts


Access to Practice computer systems or corporate networks should not be granted until a
review of the following concerns has been made, and appropriate restrictions or covenants
included in a statement of work (“SOW”) with the party requesting access.

• Applicable sections of the Practice Information Security Policy have been reviewed
and considered.
• Policies and standards established in the Practice information security program
have been enforced.
• A risk assessment of the additional liabilities that will attach to each of the parties to
the agreement.
• The right to audit contractual responsibilities should be included in the agreement or
SOW.
• Arrangements for reporting and investigating security incidents must be included in
the agreement in order to meet the covenants of the HIPAA Business Associate
Agreement.
• A description of each service to be made available.
• Each service, access, account, and/or permission made available should only be the
minimum necessary for the third party to perform their contractual obligations.
• A detailed list of users that have access to Practice computer systems must be
maintained and auditable.
• If required under the contract, permission should be sought to screen authorized
users.
• Dates and times when the service is to be available should be agreed upon in
advance.
• Procedures regarding protection of information resources should be agreed upon in
advance and a method of audit and enforcement implemented and approved by
both parties.
• The right to monitor and revoke user activity should be included in each agreement.
• Language on restrictions on copying and disclosing information should be included in
all agreements.
• Responsibilities regarding hardware and software installation and maintenance
should be understood and agreed upon in advance.
• Measures to ensure the return or destruction of programs and information at the
end of the contract should be written into the agreement.
• If physical protection measures are necessary because of contract stipulations, these
should be included in the agreement.
• A formal method to grant and authorize users who will have access to the data collected
under the agreement should be formally established before any users are granted
access.
• Mechanisms should be in place to ensure that security measures are being
followed by all parties to the agreement.
• Because annual confidentiality training is required under the HIPAA regulation, a
formal procedure should be established to ensure that the training takes place, that
there is a method to determine who must take the training and who will administer the
training, and that the process to determine the content of the training is established.
• A detailed list of the security measures which will be undertaken by all parties to the
agreement should be published in advance of the agreement.

Firewalls
Authority from the Privacy Officer or appropriate personnel must be received before any
employee or contractor is granted access to a Practice router or firewall.
